The trade association for the technology industry's largest companies recommends that governments also accept vendors' own declarations of conformity instead of requiring third-party certification.
If governments are going to insist on using certification schemes — like the Defense Department’s new Cybersecurity Maturity Model Certification program — in efforts to improve cybersecurity, they should at least consider technology vendors’ own assessments, the Information Technology Industry Council said in new policy principles.
“Governments should consider alternatives to certification, such as supplier’s declaration of conformity/vendor attestation,” reads the policy recommendation released two weeks ago.
The suggestion is among six items the group offered for governments’ consideration, amid the Defense Department’s high-profile rejection of “self-attestation” in developing its CMMC program.
ITI Senior Vice President for Policy and Senior Counsel John Miller said the guidance is meant for a global audience and highlighted the traction certification schemes have gained not only in the U.S. and the European Union but also in countries such as Brazil and India.
“Cybersecurity certification is not a comprehensive, one-size-fits-all solution, nor should it be considered a solution of first resort,” the document reads. “Nonetheless, if governments choose to set regulations to mandate certification schemes even after recognizing the limitations of certification, we recommend they follow six key considerations.”